The Evolving Value Proposition and Impact of
Identity Management
David Sherry, CISSP CISM
VP – Enterprise Identity & Access Mgmt
Citizens Financial Group
Presentation Overview
• About Citizens Financial
• A quick poll
• What is Identity Management? (“IdM”)
• The Citizens Case Study
• To role or not to role?
• Think enterprise: Framework and governance
• Service offerings and Compliance
• Key points to success and some cautions
• Changing mindsets, and the future
About Citizens Financial Group
• Citizens Financial is owned by RBS Group
• Financial holding company (11 areas)
• 7th-largest U.S. commercial bank
• $180 billion in assets
• Headquartered in Providence, R.I.
• More than 1,600 branches in 13 states
• Approximately 3,100 ATMs
• 27,000 employees in over 30 states
Who’s Doing What?
May I have a show of hands?
Original Marketing Drivers for IdM *
• Legacy access concerns
• Multiple ID possibilities
• Multiple repositories with no reconciliation
• Difficulties in auditing
• Lack of scalability
• Outdated processes
• Lack of automation
• Convoluted processing
• Inaccurate account creation
• Downtime from processing SLAs
* Responses culled from numerous on-line sources in 2003

Why the need at Citizens?
• Projected growth
• Legacy access concerns
• Lack of scalability / outdated processes
• Multiple repositories with no reconciliation
• A focus on straight-through processing
• Inefficiencies and productivity concerns
• Ease of auditing growing in importance
• Regulatory Compliance
One View of Identity Management
What is identity management to Citizens?
The automated management of a colleague’s access across multiple disparate systems using a centralized administrative application, with ease of provisioning, modification and deprovisioning.

Identity Management Benefits
• Provisioning and management of users
• Easily accessible audit trail of system accounts
• Delegated administration
• Automated approval processes
• Reduced paperwork
• Password synchronization

“Providing the right people with the right access at the right time”
Drivers
InfoSec presented a two-fold justification to get funding for IdM in 2003:
• Strategic – InfoSec in its current state would be a hindrance to growth and acquisition. An IdM solution would provide efficient acquisition on-boarding, as well as a reduced staffing model and sustainable process for exponential growth.
• Tactical – InfoSec is relying on manual, paper-based processing for provisioning, modification and deprovisioning, with audit issues, legacy access and accuracy concerns. An IdM solution would dramatically increase speed, accuracy and compliance.
Challenges to Beginning the Program
• Political
• Technological
• Process
• Compliance
• Service levels

Challenges to the Value Proposition
• Costs
• Undervalued benefit
• Prioritization
• Complexity
What IS the Value Proposition?
• Hard-core savings
• Administrative gain
• Soft savings
• Integrated security
• Integrated compliance support
Spotlight on IdM…circa 2008
• 2003 and earlier
  • An IT issue (provisioning, access, legacy accounts, efficiencies, automation, accuracy, etc.)
• 2006 and 2007
  • A business issue (federation, convergence, compliance, etc.)
• 2008 and beyond
  • The spotlight is on IdM brighter than ever
  • Regulatory oversight, public concerns over ID theft, the maturation of federation solutions, increased use of web SSO, etc.
An Evolving and Shifting Focus
• From purely operational to strategic
• From purely tactical to an enabler
• From purely a technology to a compliance engine
Vendors – then and now
• Nine, to five, to four, to two . . .
  • BMC: Control-SA
  • IBM: Tivoli Identity Manager
• Now . . . The major leagues, and the supporting minor leagues:
  • IBM, Oracle, Sun, Novell, CA . . .
  • Courion Corp., BMC, Symark Software, Identity Engines Inc. . . .
  • And over 50 others who identify with this space
A Note of Caution About Vendors
• The vendor’s view: A “project”
• What they want: A “sale”
• How they do it: A “demo”
Roles: Should you, what, and how?
• Define and establish success criteria
  • Base level
  • Organizational level
  • Role-based (or granular) level
• Establish your methods in advance
  • Top down (lifestyle, conceptual)
  • Bottom up (tactical and real world, but changing)
  • Hybrid
• Decide your role engineering process
  • Self-development
  • Automated
  • Manual
  • Observance
• Other role considerations:
  • Repositories
  • Certification
  • Attestation
  • Lifecycle
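The bottom-up method in the list above starts from the entitlements people actually hold and looks for recurring sets; whatever the mined roles do not explain is exactly the exception list a top-down (hybrid) review has to approve or remove. The Python below is an added example of that step written for this page; it is not code from the presentation or from Citizens. The user/entitlement data is constructed, the `mine_roles` and `role_coverage` functions and the `min_users` threshold are illustrative names, and the "base level" is taken to be whatever every user holds.

```python
"""Bottom-up role mining from a user/entitlement matrix.

Added example for the 'bottom up' role-engineering method; not code from the
presentation or from Citizens. ENTITLEMENTS below is constructed sample data;
in practice it would be extracted from each target system's access lists.
"""
from collections import defaultdict

# user -> set of (system, entitlement) pairs currently held (constructed)
ENTITLEMENTS = {
    "alice": {("core_banking", "teller"), ("ad", "branch_users"), ("email", "mailbox")},
    "bob":   {("core_banking", "teller"), ("ad", "branch_users"), ("email", "mailbox")},
    "carol": {("core_banking", "teller"), ("ad", "branch_users"), ("email", "mailbox"),
              ("core_banking", "approve_wire")},
    "dave":  {("gl", "post_journal"), ("ad", "finance_users"), ("email", "mailbox")},
    "erin":  {("gl", "post_journal"), ("ad", "finance_users"), ("email", "mailbox")},
    "frank": {("gl", "post_journal"), ("gl", "approve_journal"), ("ad", "finance_users"),
              ("email", "mailbox")},
}


def mine_roles(entitlements, min_users=2):
    """Group users by the entitlement set they share and propose roles.

    Returns a dict with:
      base        - entitlements every user holds (the 'base level' role)
      roles       - name -> frozenset of entitlements, for every non-base
                    entitlement set held identically by >= min_users users
      assignments - user -> best-fitting mined role (or None)
      residual    - user -> entitlements no mined role explains; these are the
                    exceptions a top-down review has to approve or remove
    """
    sets = {user: frozenset(ents) for user, ents in entitlements.items()}
    if not sets:
        return {"base": frozenset(), "roles": {}, "assignments": {}, "residual": {}}
    base = frozenset.intersection(*sets.values())

    groups = defaultdict(list)
    for user, ents in sets.items():
        groups[ents - base].append(user)
    candidates = [
        (ents, sorted(members))
        for ents, members in groups.items()
        if ents and len(members) >= min_users
    ]
    # Largest population first; ties broken by entitlement names so the
    # numbering is reproducible run to run.
    candidates.sort(key=lambda item: (-len(item[1]), sorted(item[0])))
    roles = {f"R{i}": ents for i, (ents, _) in enumerate(candidates, 1)}

    assignments, residual = {}, {}
    for user, ents in sets.items():
        specific = ents - base
        # The largest mined role fully contained in the user's access wins.
        fitting = [name for name, role in roles.items() if role <= specific]
        best = max(fitting, key=lambda name: len(roles[name]), default=None)
        assignments[user] = best
        residual[user] = specific - (roles[best] if best else frozenset())
    return {"base": base, "roles": roles, "assignments": assignments, "residual": residual}


def role_coverage(entitlements, result):
    """Fraction of non-base entitlement grants that the mined roles explain."""
    base = result["base"]
    total = sum(len(frozenset(ents) - base) for ents in entitlements.values())
    unexplained = sum(len(rest) for rest in result["residual"].values())
    return 1.0 if total == 0 else (total - unexplained) / total


if __name__ == "__main__":
    result = mine_roles(ENTITLEMENTS)
    print("base level:", sorted(result["base"]))
    for name, ents in result["roles"].items():
        members = [u for u, r in result["assignments"].items() if r == name]
        print(f"{name}: {sorted(ents)} -> {sorted(members)}")
    for user, rest in sorted(result["residual"].items()):
        if rest:
            print(f"exception for {user}: {sorted(rest)}")
    print(f"role coverage: {role_coverage(ENTITLEMENTS, result):.0%}")
```

On the constructed data this yields a branch role and a finance role, flags `approve_wire` and `approve_journal` as individual exceptions, and reports the share of grants the roles explain; the "changing" caveat on the slide shows up as that coverage figure drifting as real entitlements are added outside the roles.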
Think Enterprise . . .
• Any IdM Solution is truly enterprise wide
• Manage the business lines to think “process change”
• Sell the benefits of compliance and risk mitigation
• Ensure that your strategy combines adherence to standards and security, but is also rooted in clear business goals
• Integrate smoothly with an overall User Access Program
• Be inclusive!
• One document can help you in this regard: The Identity Management Framework
User Access Program (UAP)
• An IdM solution should seamlessly integrate with a corporation’s overall user access methodology, as one component of the strategy to fulfill access control objectives.
• A UAP may include Governance, Consulting Services, Operations, Auditor/Examiner Support, Assessment & Remediation Services, and Continuous Improvement.
• IdM will be both “operational” and “continuous improvement”. Examples:
  • Access Request Automation
  • Provisioning Automation
  • Intelligent Role Engineering
  • Role Management Lifecycle
IdM as a Service Offering
• Common drivers across technology projects
  • Provides consistency, uniformity, and auditability, while reducing design hurdles and roadblocks. Common drivers ensure reliability in process.
• Repeatable Processes / Reusable Components
  • Reduces development costs, and defines and enforces integration standards
• Provides opportunities for cost-saving
  • Decreases administrative costs for user management, and can efficiently support high growth
• Security as an enabler
  • Delegated administration allows the business line access flexibility; people get to work quicker with the agreed-upon access
• An unforeseen benefit
  • A fundamental change in mindset at Citizens - from a tactical and operational model relative to identity management, to an enabling and compliance model
Regulatory Compliance
(Regulation, the requirement it imposes, and how IdM supports compliance)

Regulation: GLBA
Requirement (Title V):
• Financial institutions must protect the confidentiality and integrity of customer data
• Financial institutions must protect against unauthorized access to customers’ personal information
Compliance through IdM:
• Role-based access enforces segregation of duties
• Ability to track approval trails
• Granular access controls
• Centralized repository

Regulation: Sarbanes-Oxley
Requirement (Sections 302 and 404):
• Appropriate Access Controls
• Periodic Review of Access
• Segregation of Duties
• Sustained and Demonstrable Internal Controls
Compliance through IdM:
• Automated de-provisioning
• Role-based access enforces segregation of duties
• Automated reports
• Centralized repository for access reports
• Auditable changes
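To make the "Compliance through IdM" items above concrete, here is an added Python example of a minimal provisioning engine: roles map to entitlements in several target systems, mutually exclusive role pairs are the segregation-of-duties rule, a termination event drives deprovisioning across every system, every change lands in an append-only audit list, and an access-review snapshot supports periodic review. This is written for this page and is not code from the presentation or from Citizens; the `IdentityManager` class, the role names, the target systems and the conflict pairs are all constructed for illustration.

```python
"""Role-based provisioning with segregation-of-duties enforcement,
termination-driven deprovisioning and an audit trail.

Added example for the compliance table above; not code from the presentation
or from Citizens. Roles, systems and conflict pairs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# role -> {target system: entitlements granted in that system} (constructed)
ROLES = {
    "teller":         {"core_banking": ["teller"], "ad": ["branch_users"]},
    "wire_initiator": {"core_banking": ["initiate_wire"]},
    "wire_approver":  {"core_banking": ["approve_wire"]},
    "gl_poster":      {"gl": ["post_journal"], "ad": ["finance_users"]},
    "gl_approver":    {"gl": ["approve_journal"], "ad": ["finance_users"]},
}
# Role pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = {
    frozenset({"wire_initiator", "wire_approver"}),
    frozenset({"gl_poster", "gl_approver"}),
}


class SoDViolation(Exception):
    """Raised when a role grant would create a toxic combination."""


class IdentityManager:
    def __init__(self, roles, sod_conflicts):
        self.roles = roles
        self.sod_conflicts = sod_conflicts
        self.roles_of = defaultdict(set)                       # user -> roles
        self.accounts = defaultdict(lambda: defaultdict(set))  # system -> user -> entitlements
        self.audit = []                                        # append-only change log

    def _log(self, action, user, actor, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "action": action, "user": user, "actor": actor, **detail})

    def _desired(self, user):
        """Target state: the union of entitlements implied by the user's roles."""
        desired = defaultdict(set)
        for role in self.roles_of[user]:
            for system, ents in self.roles[role].items():
                desired[system].update(ents)
        return desired

    def _reconcile(self, user, actor):
        """Drive each system to the target state; every delta is logged."""
        desired = self._desired(user)
        for system in sorted(set(desired) | set(self.accounts)):
            current = self.accounts[system][user]
            for ent in sorted(desired[system] - current):
                current.add(ent)
                self._log("provision", user, actor, system=system, entitlement=ent)
            for ent in sorted(current - desired[system]):
                current.discard(ent)
                self._log("deprovision", user, actor, system=system, entitlement=ent)
            if not current:
                del self.accounts[system][user]

    def grant_role(self, user, role, approver):
        # SoD is checked before anything is written, and the refusal is logged too.
        for held in self.roles_of[user]:
            if frozenset({held, role}) in self.sod_conflicts:
                self._log("denied", user, approver, role=role, conflicts_with=held)
                raise SoDViolation(f"{user}: {role} conflicts with {held}")
        self.roles_of[user].add(role)
        self._log("grant_role", user, approver, role=role)
        self._reconcile(user, approver)

    def revoke_role(self, user, role, actor):
        self.roles_of[user].discard(role)
        self._log("revoke_role", user, actor, role=role)
        self._reconcile(user, actor)

    def terminate(self, user, actor):
        """Termination event (e.g. from an HR feed): drop every role, which
        removes every account the roles created, in every system."""
        for role in sorted(self.roles_of[user]):
            self.roles_of[user].discard(role)
            self._log("revoke_role", user, actor, role=role)
        self._reconcile(user, actor)
        self._log("terminate", user, actor)

    def accounts_of(self, user):
        return {system: sorted(users[user])
                for system, users in self.accounts.items() if user in users}

    def access_review(self):
        """Snapshot for periodic review: roles and accounts per active user."""
        return {user: {"roles": sorted(roles), "accounts": self.accounts_of(user)}
                for user, roles in self.roles_of.items() if roles}


if __name__ == "__main__":
    idm = IdentityManager(ROLES, SOD_CONFLICTS)
    idm.grant_role("carol", "teller", approver="branch_manager")
    idm.grant_role("carol", "wire_initiator", approver="branch_manager")
    try:
        idm.grant_role("carol", "wire_approver", approver="branch_manager")
    except SoDViolation as err:
        print("blocked:", err)
    print("review:", idm.access_review())
    idm.terminate("carol", actor="hr_feed")
    print("after termination:", idm.accounts_of("carol"), "audit entries:", len(idm.audit))
```

The design point worth noticing is that accounts are never edited directly: every grant, revoke or termination recomputes the target state from the roles and reconciles each system against it, which is what lets one engine answer "why does this person have this access" from the audit list alone and what makes the "multiple repositories with no reconciliation" problem from the drivers slide disappear.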
Big Wins for the IdM Program:
• Conversion success
• Initial day provisioning
• Population of Outlook properties
• Compliance reports
• Delegated authority
• Support of physical access
• Governance and framework
• User Access Program driver
The Future
• Ensure new apps are integrated upon production
• Web SSO
• Enterprise SSO
• Federation
• Role entitlements
• Digital Rights Management
• Integration of privileged passwords and their use
• Cell phones, credit cards, voice mail, cubicles, hardware/software needs . . .
Key Points to Success
• Understand the business, and identify key stakeholders
• Highlight the Risk Management / Compliance aspects
• Establish a Governance Framework
• Manage expectations, maintain public relations and navigate the political landscape
• Build for one key area, but design for the enterprise
• Identify the “globally interesting data” early and receive buy in
• Show incremental progress and risk mgmt wins
• Most of all, perseverance!
Cautions
• The technology proves to be easy . . . not so the data
• Role definition is not easy . . . decide your methods in advance
• Limit your scope, and manage expectations
Closing Summary
• Identity Management’s “role” is evolving
• Identity Management’s value proposition is increasing in scope
• Look for ways to meet diverse needs with your IdM implementation
• Speak in terms of risk and capabilities, and not so much in technology
• The road is hard and filled with lessons to learn, but achievable
Questions?
Contact information:
David Sherry, CISSP CISM
VP, Enterprise Identity and Access Mgmt.
Citizens Financial Group
One Citizens Drive – ROP295
Riverside, RI 02915
401.282.3165